The VO Services Project (formerly the VO Privilege Project) provides software for Virtual Organization (VO) user registration and for fine-grained authorization of access to grid-enabled resources. The infrastructure assists VO and site administrators with assigning and managing user accounts at grid sites, reducing the associated administrative overhead. Authorization is tied to a user's membership in VO-defined groups and roles. User-to-account mapping is flexible and dynamic, driven both by the VO group and role the user presents and by the principle of least privilege.
The project is sponsored by US CMS, based at Fermilab; US ATLAS, based at Brookhaven National Laboratory; and the Open Science Grid. It started in 2003 to build, extend, and integrate elements of the grid authorization architecture developed by the Grid2003 team. The project is composed of a comprehensive suite of software services, maintained in part by the project team and in part through close collaboration with partner Grid middleware groups, including EGEE, INFN, and Globus. The suite includes software for Virtual Organization management (VOMRS and VOMS), for authorization call-outs (PRIMA, PRIMA-WS, gPlazma, gLExec), and for authorization policy decisions (GUMS).
The project officially closed in June 2009.
How it works, in a nutshell
To interact with the Grid, the user requests a grid user certificate from her regional Certificate Authority (CA). This certificate, and the credentials derived from it, represent the user's identity to all grid services.
Once in possession of a grid certificate, the user registers with her VO, requesting membership in VO-defined groups and roles. Before interacting with grid resource gateways, such as Computing Element or Storage Element gateways, the user contacts the Virtual Organization Management Service (VOMS) and extends her credentials with group and role membership information. These attributes declare her intent to use remote site services on behalf of the VO, as a member of certain groups and acting with a certain role.
The extended credentials are presented to a resource gateway, which extracts the relevant user attributes and invokes its authorization call-out module. Depending on the gateway contacted, this module is implemented by different software products: PRIMA or PRIMA-WS for Computing Elements, gPlazma for Storage Elements, or gLExec for Worker Nodes in the case of pull-based job workload management. What all of these implementations share is the protocol used to communicate with the site-central authorization policy decision points (PDPs).
The VO Services project provides two PDP implementations: a mapping service, GUMS (in collaboration with BNL), and a banning service, SAZ (in collaboration with the FermiGrid group at Fermilab). The mapping service uses the attributes extracted from the user's credentials to assign a local user account with the appropriate resource access privileges. The banning service enforces site-specific access control rules and policies, such as denying service to banned users or to banned VO groups.
A recent authorization interoperability effort has standardized the protocol used to communicate authorization assertions across the VO Services project (for OSG, US CMS, and US ATLAS), EGEE, Globus, and Condor. This allows seamless integration of gateways developed in the US with policy decision points developed in Europe, and vice versa.
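The following is an added illustration of the two-step decision described above (a SAZ-style ban check followed by a GUMS-style account mapping driven by VOMS group and role attributes). It is hypothetical example code written for this page, not the GUMS or SAZ source, and it does not implement their wire protocol. The policy, the distinguished names, and the FQAN strings are constructed sample data; the rule-selection order (longest group path first, then exact role match) and the deny-overrides ordering are this example's own design choices.

```python
"""Hypothetical site-central authorization PDP combining a SAZ-style
banning step with a GUMS-style mapping step.  Added example: this is
NOT the GUMS or SAZ code, and all policy and credential data below is
constructed sample data."""

from dataclasses import dataclass
from typing import Optional, Sequence


@dataclass(frozen=True)
class FQAN:
    """A VOMS Fully Qualified Attribute Name split into group and role."""
    group: str            # e.g. "/cms/heavyions"
    role: Optional[str]   # e.g. "production"; None when Role=NULL


def parse_fqan(text: str) -> FQAN:
    """Parse '/vo[/subgroup...][/Role=r][/Capability=c]'.
    Role=NULL is normalised to None; the Capability field is ignored here."""
    if not text.startswith("/"):
        raise ValueError(f"malformed FQAN: {text!r}")
    group_parts, role = [], None
    for part in text.split("/")[1:]:
        if part.startswith("Role="):
            value = part[len("Role="):]
            role = None if value in ("", "NULL") else value
        elif part.startswith("Capability="):
            continue
        elif not part or "=" in part:
            raise ValueError(f"malformed FQAN: {text!r}")
        else:
            group_parts.append(part)
    if not group_parts:
        raise ValueError(f"malformed FQAN: {text!r}")
    return FQAN("/" + "/".join(group_parts), role)


@dataclass(frozen=True)
class MappingRule:
    group: str             # a group; also covers its subgroups
    role: Optional[str]    # None matches any role, including no role
    account: str           # local account to assign


@dataclass(frozen=True)
class SitePolicy:
    rules: Sequence[MappingRule]
    banned_dns: frozenset        # certificate subjects refused outright
    banned_groups: frozenset     # banning a group also bans its subgroups


@dataclass(frozen=True)
class Decision:
    permit: bool
    account: Optional[str] = None
    reason: str = ""


def _covers(parent: str, group: str) -> bool:
    """True if `group` equals `parent` or lies beneath it, component-wise
    (so "/cms" covers "/cms/production" but not "/cmsx")."""
    return group == parent or group.startswith(parent + "/")


def check_ban(dn: str, fqans: Sequence[FQAN], policy: SitePolicy) -> Optional[str]:
    """SAZ-style step: return a refusal reason, or None if nothing is banned."""
    if dn in policy.banned_dns:
        return f"subject banned: {dn}"
    for fqan in fqans:
        for banned in policy.banned_groups:
            if _covers(banned, fqan.group):
                return f"group banned: {fqan.group} (under {banned})"
    return None


def map_account(fqans: Sequence[FQAN], policy: SitePolicy) -> Optional[MappingRule]:
    """GUMS-style step: FQANs are tried in the order presented (primary first);
    the first FQAN with any matching rule wins, and among its matching rules the
    longest group path is preferred, then an exact role over a wildcard role."""
    for fqan in fqans:
        candidates = [r for r in policy.rules
                      if _covers(r.group, fqan.group) and r.role in (None, fqan.role)]
        if candidates:
            return max(candidates, key=lambda r: (r.group.count("/"), r.role is not None))
    return None


def authorize(dn: str, fqan_texts: Sequence[str], policy: SitePolicy) -> Decision:
    """Deny overrides: the ban check runs before mapping, so a banned subject or
    group never receives an account even when a mapping rule would match."""
    fqans = [parse_fqan(t) for t in fqan_texts]
    reason = check_ban(dn, fqans, policy)
    if reason:
        return Decision(False, reason=reason)
    rule = map_account(fqans, policy)
    if rule is None:
        return Decision(False, reason="no mapping for " + ", ".join(fqan_texts))
    return Decision(True, rule.account, f"matched {rule.group} Role={rule.role}")


# Constructed sample policy (hypothetical; not any real site's configuration).
SAMPLE_POLICY = SitePolicy(
    rules=[
        MappingRule("/cms", None, "cmsuser"),              # catch-all for the VO
        MappingRule("/cms", "production", "cmsprod"),      # role-specific account
        MappingRule("/cms/heavyions", None, "cmshi"),      # subgroup-specific account
        MappingRule("/atlas", None, "usatlas1"),
    ],
    banned_dns=frozenset({"/DC=org/DC=example/OU=People/CN=Mallory Blocked"}),
    banned_groups=frozenset({"/atlas/test"}),
)

if __name__ == "__main__":
    alice = "/DC=org/DC=example/OU=People/CN=Alice Example"
    print(authorize(alice, ["/cms/Role=production/Capability=NULL",
                            "/cms/Role=NULL/Capability=NULL"], SAMPLE_POLICY))
    print(authorize(alice, ["/atlas/test/Role=NULL/Capability=NULL",
                            "/atlas/Role=NULL/Capability=NULL"], SAMPLE_POLICY))
```

Two points worth noting in the example: the ban check inspects every FQAN in the credential, not only the primary one, so a user cannot sidestep a group ban by listing a permitted group first; and rule selection is deterministic, which matters because the chosen account determines the privileges the job runs with.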
Last modified by Gabriele Garzoglio on 06/25/09